How to monitor switch ports – networking monitor?
Every IT working guy, during his career (especially if he is focused on network administration roles) will get at least once a task to monitor/analyze traffic for a certain device.
You can imagine I can’t cover all devices and ways to monitor but i will try to explain in a few words the bigger picture and then go into a few details regarding Cisco way of doing this, with the request that if you know some other method please share it with us and also if you have a question that wasn’t covered in this topic, write it as a comment and I can investigate further if needed and provide you with an answer.
Let’s say you have a machine/device that generates a lot of traffic for the network. In any case, you need to locate your target first, in other words find the device that you suspect is the source of your problem, see where it connects to and find the port where the device is plugged in. You will need to replicate (mirror) the traffic that passes through that port to another port. This means all the traffic that will come out of that port (comes from server) or will go to the server (goes in to the server) will have to be sent to another port, where you will have a computer plugged in with a traffic analyzing tool.
If you don’t have this setting activated on the switch from the beginning, most of the software available for probing/analyzing network won’t work and will only see parts of the traffic that moves in and out of the switch, not the one you need.
This problem can be solved with a variety of settings like monitoring a VLAN traffic, for example all ports in a VLAN will be mirrored to a single port, where you will have a computer with traffic monitoring tool.
On Cisco systems we can manage this by using the SPAN option. The logic behind SPAN is something like this:
There are multiple ways to enable port mirroring, depending on the type of Cisco Switch you have or the IOS version they include. I will mention the commands for a few models and give the rest on request, by expanding this topic.
SPAN on Catalyst 2900XL/3500XL Switches
Fastethernet 0/1 – destination port (the port where we want to send all mirrored traffic, we will have a computer with analyzing software connected to this port)
Fastethernet 0/2 – source port (port that we want to monitor, and have all the traffic sent/received by this port mirrored/replicated to port Fa0/1)
Fastethernet 0/3 – source port (port that we want to monitor, and have all the traffic sent/received by this port mirrored/replicated to port Fa0/1)
The commands would be:
Switch(config)#interface fastethernet 0/1
Now that we are on the interface configuration mode we will have to add the ports to be monitored:
Switch(config-if)#port monitor fastethernet 0/2 Switch(config-if)#port monitor fastethernet 0/3
With these commands, every packet that these two ports receive or transmit is also copied to port Fa0/1.
SPAN on the Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750 and 3750-E Series Switches
The Catalyst 2950 Switches can have only one SPAN session active at a time and can monitor only source ports. These switches cannot monitor VLANs.
The Catalyst 3550, 3560, and 3750 Switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs.
The Catalyst 2970, 3560, and 3750 Switches do not require the configuration of a reflector port when you configure a RSPAN session.
The Catalyst 3750 Switches support session configuration with the use of source and destination ports that reside on any of the switch stack members.
Only one destination port is allowed per SPAN session, and the same port cannot be a destination port for multiple SPAN sessions. Therefore, you cannot have two SPAN sessions that use the same destination port.
The SPAN feature configuration commands are similar on the Catalyst 2950 and Catalyst 3550. However, the Catalyst 2950 cannot monitor the VLANs.
The commands are:
SW1#configure terminal SW1(config)# SW1(config)#monitor session 1 source interface fastethernet 0/1 !--- This configures interface Fast Ethernet 0/1 as source port. SW1(config)#monitor session 1 destination interface fastethernet 0/2 !--- This configures interface Fast Ethernet 0/2 as destination port. SW1(config)# SW1#show monitor session 1 Session 1 --------- Source Ports: RX Only: None TX Only: None Both: Fa0/1 Destination Ports: Fa0/2 SW1#
The only thing left to do now is the final step, this means connecting a computer to the port you have as destination for the traffic (ports) you enabled mirroring and installing a traffic analyzer tool like wireshark or network miner. I would recommend the first one as I played with it a lot more and did help me with my needs, although I’m pretty sure there are even better tools but they require a fee. Installing wireshark doesn’t really need good technical skills as for configuring it, just let the defaults active and use Start button to capture traffic on the network interface card connected to the port set as destination for all mirrored traffic.